Summary: | app-arch/createrepo removal request | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Pacho Ramos <pacho> |
Component: | Current packages | Assignee: | Alon Bar-Lev (RETIRED) <alonbl> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | CC: | alonbl, evert.gentoo, pinkbyte, treecleaner |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 499328 |
Description
Pacho Ramos
2017-06-06 10:56:34 UTC
If yum is removed, we can remove this one as well. However, until then, it is handy to create repo on Gentoo machine. +1, i use this for maintaining custom CentOS repo on Gentoo host # Michał Górny <mgorny@gentoo.org> (04 Aug 2017) # sys-apps/yum is severely outdated (last bump 2013), unmaintained # since 2010. It has vulnerabilities. Removal in 30 days. Bug #499328. # # app-arch/createrepo is the last unmasked dependency. Since it is not # useful at all without yum, it is being removed as well. Bug #620992. app-arch/createrepo sys-apps/yum I use app-arch/createrepo on Gentoo for maintaining my CentOS-7 repos. Please do *not* remove this package (unless a good alternative exists). (In reply to Evert from comment #4) > I use app-arch/createrepo on Gentoo for maintaining my CentOS-7 repos. > Please do *not* remove this package (unless a good alternative exists). Yum is one of the dependencies, so sadly, if yum goes away so should this. Sadly, redhat did not release any usable standalone tool. Just a quick brainstorm. You want to get rid of yum on Gentoo because of some Man-in-the-Middle vulnerability. When both yum and createrepo will be removed, we will no longer be able to maintain custom CentOS repos on Gentoo. If we want to continue to maintain custom CentOS repos on Gentoo, there are some alternative options: 1. copy both app-arch/createrepo and sys-apps/yum to our local Gentoo repo. 2. rsync custom centos-repo to a CentOS-7 vm, createrepo on the CentOS-7 vm and rsync custom centos-repo back to Gentoo (or something similar). Conclusion: alternatives exist. However, I (we?) prefer to keep on using createrepo on native Gentoo, preferably using non-local Gentoo repo. Since I think the Man-in-the-Middle yum vulnerability does not (really) apply to Gentoo, there is no real added value to remove yum & createrepo from Gentoo. So, please consider not to remove createrepo and it's dependency yum from Gentoo repo. Bug #499328 fixed - yum is bumped to up-to-date snapshot. No need to remove this package from tree. Closing this as WONTFIX Great :-D Thanks a lot! |